Title: XSS-SAFE: A Server-Side Approach to Detect and Mitigate Cross-Site Scripting (XSS) Attacks in JavaScript Code
Authors: Gupta, Shashank
Keywords: Computer Science; JavaServer Pages (JSP); HTML; e-Commerce Website
Issue Date: 2016
Publisher: Springer
Abstract: Nowadays, Web applications are considered one of the most ubiquitous platforms for providing information and services over the World Wide Web, particularly those deployed in health care, banking, e-commerce operations, etc. The boom of social networking sites and modern Web applications that transfer dynamic information to client-side Web browsers has increased the amount of user-generated and feature-rich HTML content on the Internet. This enhanced HTML content includes a malicious attack vector for Web-related attacks. Cross-site scripting (XSS) attacks are presently the most exploited security problems in modern Web applications; an attacker activates them by exploiting vulnerabilities in poorly written Web application source code. Users across all popular social networking Web sites are exposed to XSS attacks. These attacks are generally caused by malicious scripts that exploit the application's failure to validate user-injected input appropriately, taking advantage of vulnerabilities in the source code of the Web applications. The result is the loss of confidential information, such as stolen cookies, passwords, and other private credentials. In this paper, we propose a robust framework known as XSS-SAFE (Cross-Site Scripting Secure Web Application FramEwork), a server-side automated framework for the detection and mitigation of XSS attacks. XSS-SAFE is designed around the idea of injecting features into JavaScript and introduces the idea of injecting sanitization routines into JavaScript source code to detect and mitigate maliciously injected XSS attack vectors. We repeatedly inject the feature content, generate rules, and insert sanitization routines for the discovery of XSS attacks. We have evaluated our approach on five real-world JavaServer Pages (JSP) programs. The results indicate that XSS-SAFE detects and mitigates most of the previously known and unknown XSS attacks with minimal false positives, a zero false-negative rate, and low runtime overhead.
URI: https://link.springer.com/article/10.1007/s13369-015-1891-7
URI: http://dspace.bits-pilani.ac.in:8080/jspui/handle/123456789/16310
Appears in Collections: Department of Computer Science and Information Systems